Reverse Deception: Organized Cyber Threat Counter-Exploitation

Authors: Sean Bodmer
Disclosure history: Evaluation of the injection vector's background

MO, signature, content, patterns: Evaluation of attacker observables

Tools: Evaluation of tools used by the attacker (public or custom)

Utilization of access: Evaluation of the access times by the attacker

Data transfer technique: Evaluation of how the attacker exfiltrated data

Logging alteration/deletion technique: Did the attacker care enough to cover his steps?

When working with honeynets, analysts need to make sure their time covers as much of the daily workload as possible so that the effort keeps moving forward. Analysts should divide their time among the following three areas, as shown in the chart in Figure 8-2:

Figure 8-2 Data analyst responsibilities

Real time: Active analysis of real-time events within minutes of their occurrence, through some information management interface.

Daily: Correlation of all flows across all customer nodes. Queries should be run every day and checked manually.

Cases: Analysts work on cases that require interaction and communication with external groups such as operations, customers, developers, and other stakeholders.
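The "Daily" task above (correlating flows across every customer node) and the evaluation items in the table (the attacker's access times and data transfer technique) are the kind of checks a daily query should surface. The following is an added example, not code from the book or its author; it assumes a constructed CSV flow log with one line per flow (timestamp, honeynet node, remote source, destination port, bytes received by the node, bytes sent by the node), and the thresholds for flagging a large outbound transfer are hypothetical values an analyst would tune for their own nodes.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample flow log for one day (not real data). Columns:
# timestamp, honeynet node, remote source IP, destination port,
# bytes received by the node, bytes sent by the node.
SAMPLE_FLOWS = """\
2012-03-01T02:14:07Z,honeynet-a,203.0.113.7,22,1200,300
2012-03-01T02:31:55Z,honeynet-b,203.0.113.7,22,900,250
2012-03-01T03:05:12Z,honeynet-b,203.0.113.7,443,2400,5800000
2012-03-01T11:42:30Z,honeynet-a,198.51.100.23,80,400,1500
2012-03-01T11:43:01Z,honeynet-a,198.51.100.23,80,380,1520
2012-03-01T21:10:44Z,honeynet-c,203.0.113.7,22,700,200
2012-03-01T23:59:10Z,honeynet-c,192.0.2.55,3389,5000,4000
"""


def parse_flows(text):
    """Parse CSV flow lines into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, node, src, dport, b_in, b_out = line.split(",")
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "node": node,
            "src": src,
            "dport": int(dport),
            "bytes_in": int(b_in),
            "bytes_out": int(b_out),
        })
    return flows


def sources_across_nodes(flows, min_nodes=2):
    """Daily correlation: remote sources seen on at least min_nodes customer nodes."""
    nodes_by_src = defaultdict(set)
    for f in flows:
        nodes_by_src[f["src"]].add(f["node"])
    return {src: sorted(nodes) for src, nodes in nodes_by_src.items()
            if len(nodes) >= min_nodes}


def access_hours(flows, src):
    """Utilization of access: count of flows per UTC hour for one source."""
    return Counter(f["ts"].hour for f in flows if f["src"] == src)


def exfil_candidates(flows, min_out=1_000_000, ratio=10.0):
    """Data transfer technique: flows where the node sent far more than it
    received. Thresholds are hypothetical and should be tuned per node."""
    hits = []
    for f in flows:
        if f["bytes_out"] >= min_out and f["bytes_out"] >= ratio * max(f["bytes_in"], 1):
            hits.append((f["src"], f["node"], f["dport"], f["bytes_out"]))
    return hits


def daily_report(text):
    """Run the three daily checks over a flow log and return the findings."""
    flows = parse_flows(text)
    cross = sources_across_nodes(flows)
    return {
        "cross_node_sources": cross,
        "access_hours": {src: dict(access_hours(flows, src)) for src in cross},
        "exfil_candidates": exfil_candidates(flows),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(daily_report(SAMPLE_FLOWS), indent=2, default=str))
```

On the sample log the report singles out one source that touched all three nodes, shows that its activity clusters in the early morning and evening UTC, and flags the single flow in which a node sent several megabytes in response to a few kilobytes, which is the item an analyst would open as a case.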

Analysis Environment

Most analysis environments work better on networked kernel-based VMs (KVMs) because information sharing and system navigation are easier there.

The following are some common commercial off-the-shelf tools that can be used to perform analysis of honeynet data:

VMware Physical 2 Virtual
VMware Player or Workstation
VirtualBox VMM solution